Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 24 Next »

Configure SSH Keys Within FlexDeploy

SSH Key credentials support a private key file upload and an optional input for a passphrase. You will be able to download the public key based on the private key that is uploaded if it is an OpenSSH key. Putty PPK files will not be able to have their public keys downloaded. These credentials can be configured for SSH Key authentication with Endpoints and also GIT Source Control Instances. These credentials are also available for use in custom groovy scripts and workflows (see Referencing SSH Key Values as Properties section for more information).

image-20241008-193015.png

Input Name

Description

Input Type

Required

SSH Key

SSH Key which will have its content stored in encrypted format. Before encrypting, FlexDeploy will convert all End of Line characters to Unix.

File

Yes

Passphrase

Passphrase for accessing the SSH key (optional, also stored in an encrypted format).

Text

No

Referencing SSH Key Values As Properties

An SSH Key credential that is assigned to an encrypted property within FlexDeploy can be referenced for property replacement or groovy variables. In order to reference the private key, then only the property code can be used. If you want to access the passphrase, then attach the suffix _PASSPHRASE (case sensitive) to the property code.

For example, we have an encrypted property on this workflow with the code ENDPOINT_SSH_KEY.

image-20241008-182404.png

We could have a step in our workflow to execute some sort of shell script that will make an SSH connection using the property configured on the project. Below is an example of referencing our property in a groovy script, but it would be similar for environment variables or property replacement within files. For accessing the private key then we would use the code ENDPOINT_SSH_KEY. For accessing the passphrase, then it would be ENDPOINT_SSH_KEY_PASSPHRASE. Note that if referencing the passphrase like this, it could fail if the actual value of the property during execution is not an SSH Key type credential.

image-20241008-182946.png

Trouble Shooting SSH Key Credentials

Permission denied (publickey)

This error shows up when trying to connect to a GIT repository.

image-20241008-202837.png

The most common reasons for this error happening are

A couple of other reasons could be

  • The system that is authenticating with GIT has an old version of OpenSSH (could use SHA-1 signing of keys) that does not support handling keys generated from a newer version (SHA-2 signature). This could result in a newer SHA-2 signed key trying to be accessed by an older version of OpenSSH that is only aware of SHA-1 signing. Additionally, most GIT providers will only accept SHA-2 signed keys. Please ensure that the OpenSSH version installed is 8.0+ on systems that will be performing GIT operations.

  • The system that is authenticating with GIT is Windows-based and is running a version of OpenSSH that is less than 8.4. Please see the Executing On Windows Endpoint With Git Plugin section below.

Executing On Windows Endpoint With GIT Plugin

When executing GIT plugin operations on a Windows system, FlexDeploy uses the SSH_ASKPASS_REQUIRE environment variable to supply the passphrase of the private key. This environment variable was introduced in OpenSSH 8.4. For endpoints that are Windows based, it is recommended that the OpenSSH version should be 8.4+. If the version is <8.4, then trying to use SSH Keys with passphrases will not work when trying to connect to GIT repositories, and will result in an error that includes the message Permission denied (publickey). fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. which could be misleading as there are many factors that will cause that error message. Note that this is not limited to just with the GIT plugin, as trying to make an SSH connection through a batch script within a workflow could result in a similar issue if trying to use the SSH_ASKPASS_REQUIRE environment variable.

Groovy Functions

For any groovy script that has access to the FLEXDEPLOY variable, there are methods for accessing the plain text values of a given credential id or name. Note that using these methods to grab the values for Endpoint-scoped credentials is prevented.

Method

Description

FLEXDEPLOY.getCredentialSecretTextValueById(credentialId)

Returns the plain text value String of the given Credential id. The id must belong to a credential of type Secret Text.

FLEXDEPLOY.getCredentialSecretTextValueByName(credentialName)

Returns the plain text value String of the given Credential name. The name must belong to a credential of type Secret Text.

FLEXDEPLOY.getCredentialValueById(credentialId)

Returns an object containing the plain text values depending on the credential type of the provided id.

Secret Text -> CredentialSecretTextValuePojo

SSH Key → CredentialSshKeyValuePojo

Certificate → CredentialCertificateValuePojo

FLEXDEPLOY.getCredentialValueByName(credentialName)

Returns an object containing the plain text values depending on the credential type of the provided name.

Secret Text -> CredentialSecretTextValuePojo

SSH Key → CredentialSshKeyValuePojo

Certificate → CredentialCertificateValuePojo

CredentialSecretTextValuePojo

Method

Description

getSecretText()

Returns the unencrypted String secret text value of this credential.

CredentialSshKeyValuePojo

Method

Description

getSshKey()

Returns the unencrypted private key value of this credential.

getSshKeyPassphrase()

Returns the unencrypted passphrase value of this credential.

CredentialCertificateValuePojo

Method

Description

getCertificate()

Returns the unencrypted certificate value of this credential.

getCertificatePassword()

Returns the unencrypted password value of this credential.

  • No labels